commit 417e99f428d9b629c613fe860033e775be9de420 Author: Hugh Davenport Date: Mon Sep 24 13:23:39 2012 +1200 Remove clamav from site admin options Bug #1055232 When a site administrator can manipulate the path for the clamav scanner, they could produce either a reverse shell, or allow any user to execute arbitrary remote commands by setting it to an uploaded reverse shell, or to /bin/bash respectively. Other executable paths, namely pathtozip, and pathtounzip are only set via config.php, and not through the site admin interface. This option, pathtoclam, should follow the same design. Change-Id: I7d4822c9f54eda80682d6631699c1ab40f1dc896 Signed-off-by: Hugh Davenport
diff --git a/htdocs/admin/site/options.php b/htdocs/admin/site/options.php
index ab0bc6a..17c4e3d 100644
--- a/htdocs/admin/site/options.php
+++ b/htdocs/admin/site/options.php
@@ -344,14 +344,6 @@ $siteoptionform = array(
 'help' => true,
 'disabled' => in_array('viruschecking', $OVERRIDDEN),
 ),
- 'pathtoclam' => array(
- 'type' => 'text',
- 'title' => get_string('pathtoclam', 'admin'),
- 'description' => get_string('pathtoclamdescription', 'admin'),
- 'defaultvalue' => get_config('pathtoclam'),
- 'help' => true,
- 'disabled' => in_array('pathtoclam', $OVERRIDDEN),
- ),
 'antispam' => array(
 'type' => 'select',
 'title' => get_string('antispam', 'admin'),
@@ -612,7 +604,7 @@ function siteoptions_fail(Pieform $form, $field) {
 function siteoptions_submit(Pieform $form, $values) {
 $fields = array(
- 'sitename','lang','theme', 'pathtoclam', 'dropdownmenu',
+ 'sitename','lang','theme', 'dropdownmenu',
 'defaultaccountlifetime', 'defaultaccountinactiveexpire', 'defaultaccountinactivewarn', 'allowpublicviews', 'allowpublicprofiles', 'generatesitemap', 'registration_sendweeklyupdates', 'institutionexpirynotification', 'institutionautosuspend',
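Review bot: Dropping `pathtoclam` from `$fields` in `siteoptions_submit` stops new writes, but nothing in the visible hunks clears a value that was already saved through the old form. If the scanner code still reads that stored setting when config.php does not define the path, a value set before this change would presumably stay in effect, so an upgrade step that removes the stored `pathtoclam` (or a check that it is only honoured when it comes from config.php) seems worth adding. I would also leave a comment above the list so the key is not re-added later: `// pathtoclam is intentionally absent: executable paths come from config.php only (Bug #1055232)`. The body of siteoptions_submit continues outside the hunk.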